Unable to obtain ACME certificate: Cloudflare did not return the expected TXT record

Traefik Traefik v3 (latest)
1

I have had Traefik (3.3.1 currently) setup in Docker for almost a year and have never had any issues. However, I noticed that my TLS certificates expired and the dreaded "Your connection is not private" message started to appear.

Currently the error that is being displayed in Traefik's logs is the following:

INF Starting provider aggregator *aggregator.ProviderAggregator
INF Starting provider *file.Provider
INF Starting provider *traefik.Provider
INF Starting provider *acme.ChallengeTLSALPN
INF Starting provider *docker.Provider
INF Starting provider *acme.Provider
INF Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [domain.tld *.domain.tld]: error: one or more domains had a problem:\n[*.domain.tld] propagation: time limit exceeded: last error: authoritative nameservers: NS roxy.ns.cloudflare.com.:53 did not return the expected TXT record [fqdn: _acme-challenge.domain.tld., value: Kj700S41-s3niKhtNsFlBp7RmuF-VHpkfn4rW3hQXi0]: \n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["domain.tld","*.domain.tld"] providerName=cloudflare.acme routerName=traefik-secure@file rule=Host(`traefik-dashboard.domain.tld`)

Things I have tried:

  • Tried both Staging and Production with letsencrypt.org.
  • Ensured that proxying or any DNS security features are disabled.
  • Re-creating my DNS API token.

I can see that the TXT file is being generated on my DNS Admin page in Cloudflare and looks to be correct.

I have also looked at a lot of other threads where the same error came up and have not gotten a clear definition to why this would happen. It also seemed that the other threads were using different providers such as GoDaddy. I will also note that a friend is experiencing the same issue right around when my Traefik instance started to show this error.

traefik.yml

api:
  dashboard: true
  debug: true
log:
  level: INFO
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: 'example@email.com'
      storage: acme.json
      #caServer: 'https://acme-v02.api.letsencrypt.org/directory'
      caServer: 'https://acme-staging-v02.api.letsencrypt.org/directory'
      keyType: EC256
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

config.yml

http:
  routers:
    traefik:
      entrypoints:
        - http
      rule: Host(`traefik-dashboard.domain.tld`)
      service: "api@internal"
    traefik-secure:
      entrypoints:
        - https
      rule: Host(`traefik-dashboard.domain.tld`)
      middlewares:
        - traefik-auth
      service: "api@internal"
      tls:
        certResolver: cloudflare
        domains:
          - main: "domain.tld"
            sans:
              - "*.domain.tld"
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "..."
    traefik-https-redirect:
      redirectScheme:
        scheme: "https"
    sslheader:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
2

I have actually discovered why this is no longer working!

I have a Dream Machine Pro and and an update changed the way their AdBlocking works. Seems like it was blocking https://acme-v02.api.letsencrypt.org!

So, If you have any UniFi equipment, make sure you add a rule to Allow Letsencrypt's API.

1 Like